If you are reading this tutorial then you must have obviously read my previous tutorial on Nmap scans. If not then read it here.

B: TCP Connect() Scan

Remember the three-way handshake? I hope you do. A TCP connect() scan is just the normal three-way handshake.

1: Firstly Nmap sends a SYN packet to the destination port.
2: The destination port -if open- replies with a SYN-ACK packet.
3: Now Nmap replies with a normal ACK packet and establishes the connection.
4: But soon after establishing the connection Nmap sends a RST packet and breaks the connection.

The steps explained above were for open ports. In case of closed ports:
1: Firstly Nmap sends a SYN packet to the destination port.
2: The remote port -since it's closed- sends a RST response.

Nmap ------------------>SYN------------------->Remote port

Nmap<----------------SYN-ACK<----------------Remote port

Nmap------------------->ACK------------------->Remote port

Nmap------------------->RST------------------->Remote port

OPEN PORT

Nmap ------------------>SYN---------------->Remote port

Nmap<-------------------RST<----------------Remote port

CLOSED PORT

Sometimes Nmap sends a SYN packet to the remote port and gets no response at all. It means that a firewall is dropping the packet. Nmap declares these ports as filtered.

Nmap ------------------>SYN---------------->Remote port

Nmap---------------NO RESPONSE-------------Remote port

FILTERED PORTS

TCP connect() scan is the default scan if you are running as a privileged user.

The syntax for a TCP connect() scan on the command line is:

nmap -sT remote I.P

Here -sT is the option that selects a TCP connect() scan and remote I.P is the I.P address of the target machine you want to scan.
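Because a connect() scan completes the full handshake before resetting, every open port it touches shows up in the target's own connection records, not just in a firewall log. The following is an added example, not part of the original tutorial, of the detection logic a defender can run over such records. The log lines are constructed for the example (the field names src/dport/result and the two result values are my own, not the output of any real sensor): a source that reaches many distinct destination ports in a short window, mostly getting RST back and otherwise resetting right after the handshake, is the footprint of the scan described above.

```python
"""Flag sources whose connection pattern looks like a TCP connect() scan."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not taken from any real firewall or host): one line per
# TCP connection attempt, as a host-based sensor might record it.
#   handshake_then_rst : SYN, SYN-ACK, ACK completed, then the client reset at once
#   refused            : the SYN was answered with RST (closed port)
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dport=22 result=handshake_then_rst
2024-05-01T10:00:00 src=10.0.0.5 dport=23 result=refused
2024-05-01T10:00:01 src=10.0.0.5 dport=25 result=refused
2024-05-01T10:00:01 src=10.0.0.5 dport=80 result=handshake_then_rst
2024-05-01T10:00:01 src=10.0.0.5 dport=110 result=refused
2024-05-01T10:00:02 src=10.0.0.5 dport=143 result=refused
2024-05-01T10:00:02 src=10.0.0.5 dport=443 result=handshake_then_rst
2024-05-01T10:00:02 src=10.0.0.5 dport=3306 result=refused
2024-05-01T10:00:03 src=10.0.0.5 dport=8080 result=refused
2024-05-01T10:00:03 src=10.0.0.5 dport=8443 result=refused
2024-05-01T10:00:05 src=10.0.0.7 dport=443 result=handshake_then_rst
2024-05-01T10:00:09 src=10.0.0.7 dport=443 result=handshake_then_rst
2024-05-01T10:01:30 src=10.0.0.9 dport=22 result=refused
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "src": f["src"],
            "dport": int(f["dport"]), "result": f["result"]}


def detect_connect_scans(log_text, window_seconds=10, min_ports=8):
    """Return {src: {"probed": [...], "found_open": [...]}} for every source that
    touched at least min_ports distinct destination ports inside any sliding
    window of window_seconds. found_open lists the ports on which the handshake
    completed, i.e. what the scanner learned were open."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        recent = deque()  # events from this source inside the current window
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len({r["dport"] for r in recent}) >= min_ports:
                flagged[src] = {
                    "probed": sorted({x["dport"] for x in evs}),
                    "found_open": sorted({x["dport"] for x in evs
                                          if x["result"] == "handshake_then_rst"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in detect_connect_scans(SAMPLE_LOG).items():
        print(f"{src}: probed {len(info['probed'])} ports, open: {info['found_open']}")
```

The window and port thresholds are tuning knobs: a repeated connection to one port from a monitoring host (10.0.0.7 above) never counts as more than one distinct port, so it is not flagged however low min_ports is set, while the source that walked ten ports in three seconds is.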

C: IDLE Scan

Idle scan depends on a Zombie and an IPID no.

Zombie

A zombie is an idle station that acts as an intermediate between the Nmap station and the target I.P address. The zombie station should remain idle for the duration of the scan to maintain consistency in the IPID no. The other thing to note about the zombie is that it could be any device, from an idle server to a workstation or a printer.

IPID

Fyodor very briefly explained the IPID no. and I just use his definition: Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.

IDLE Scan steps

Now back again to our three-way handshake. Suppose computer A, instead of sending a SYN packet to computer B, sends a SYN-ACK. When computer B receives this unsolicited SYN-ACK it responds with a RST packet. This concept is very cleverly used in IDLE Scan.

1: Firstly the Nmap station sends a SYN-ACK packet to the zombie. This unsolicited SYN-ACK is answered with a RST packet. Nmap then notes the IPID no. of this RST packet.

2: Nmap then spoofs the I.P address of the zombie and sends a SYN packet to the target device:

a: If the port is open, the target sends a SYN-ACK response to the zombie. The zombie, on receiving the unsolicited SYN-ACK, responds with a RST.

b: If the port is closed, then the target device responds with a RST packet to the zombie. The zombie discards the unsolicited RST.

3: Nmap then again sends a SYN-ACK to the zombie and receives a RST:

a: In case of open ports the IPID of the zombie has incremented by two, because the zombie sent two packets: one RST to the target device in response to the SYN-ACK from it and another RST to the Nmap station.

b: In case of closed ports the IPID of the zombie has incremented only by one, because the zombie sent only one RST packet, to the Nmap station.
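The three steps above reduce to simple arithmetic on the zombie's IP ID counter, and the following added example (my own model, not Nmap's code, sending no packets at all) walks through that arithmetic. The Zombie and Target classes are constructed for the example: the zombie answers an unsolicited SYN-ACK with a RST and discards an unsolicited RST, exactly as described, and every packet it sends consumes one sequential IP ID. Two facts the model also shows, which I am adding here: a port behind a firewall that drops the spoofed SYN produces the same +1 as a closed port, so the scan cannot tell closed from filtered; and a zombie that is not truly idle (or, on modern systems, one that assigns IP IDs randomly or per connection rather than sequentially) makes the difference meaningless, which is why most current hosts are unusable as zombies and why the author stresses that the zombie must stay idle.

```python
"""Model of the IP ID bookkeeping behind an idle scan (simulation only; no packets are sent)."""


class Zombie:
    """Idle host whose IP stack gives every packet it sends the next sequential IP ID."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _send(self):
        # Classic incremental IP ID: +1 per packet sent, wrapping at 16 bits.
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags):
        """An unsolicited SYN-ACK is answered with a RST (one packet sent);
        an unsolicited RST is silently discarded (nothing sent)."""
        if flags == "SYN-ACK":
            return ("RST", self._send())
        return None

    def background_traffic(self, packets):
        """Unrelated packets the zombie sends while it is not actually idle."""
        for _ in range(packets):
            self._send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, zombie, dropped_by_firewall=False):
        """Handle a SYN whose (spoofed) source is the zombie; any reply goes to the zombie."""
        if dropped_by_firewall:
            return None  # filtered: the SYN never arrives, so nothing is sent back
        if port in self.open_ports:
            return zombie.receive("SYN-ACK")  # open: SYN-ACK, zombie answers with RST
        return zombie.receive("RST")          # closed: RST, zombie drops it


def probe_zombie_ipid(zombie):
    """Steps 1 and 3: send the zombie an unsolicited SYN-ACK and read the IP ID of its RST."""
    _, ipid = zombie.receive("SYN-ACK")
    return ipid


def idle_scan_port(zombie, target, port, dropped_by_firewall=False, noise_packets=0):
    """Classify one target port from the change in the zombie's IP ID across the probe."""
    before = probe_zombie_ipid(zombie)
    zombie.background_traffic(noise_packets)   # zero when the zombie really is idle
    target.receive_syn(port, zombie, dropped_by_firewall)  # step 2: the spoofed SYN
    after = probe_zombie_ipid(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return f"unknown (IP ID advanced by {delta}: zombie not idle or IDs not sequential)"


if __name__ == "__main__":
    zombie, target = Zombie(), Target(open_ports=[80, 443])
    for port in (80, 81):
        print(port, idle_scan_port(zombie, target, port))
    print(443, "filtered ->", idle_scan_port(zombie, target, 443, dropped_by_firewall=True))
    print(80, "busy zombie ->", idle_scan_port(zombie, target, 80, noise_packets=3))
```

Running the block prints open for port 80, closed|filtered for port 81 and for the firewalled port 443, and an unknown verdict once three unrelated packets leave the zombie mid-probe. Real Nmap sends several probes per port and checks that the zombie's IP ID sequence is usable before it starts, but the open/closed decision rests on exactly this +2 versus +1 difference.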